
    1 vulnerability by goharbor

    CVE-2025-32019 (GCVE-0-2025-32019)

    Vulnerability from cvelistv5 – Published: 2025-07-23 20:38 – Updated: 2025-07-23 20:47
    VLAI
    Title
    Harbor's repository description page allows for XSS
    Summary
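    Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a cross-site scripting (XSS) vulnerability: the markdown field on the info tab page is not adequately neutralized when rendered, so script injected into it can run in the browser of a user who views the page. This is fixed in versions 2.11.3 and 2.12.3. The affected ranges listed under Impacted products (< 2.12.4-rc1 and < 2.13.1-rc1) do not line up exactly with the fixed versions named in this summary, so confirm the fixed release for your branch against the vendor advisory GHSA-f9vc-vf3r-pqqq before treating a deployment as patched.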
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Vendor Product Version
    goharbor harbor Affected: >= 2.12.0-rc1, < 2.12.4-rc1
    Affected: >= 2.13.0-rc1, < 2.13.1-rc1
    Affected: <= 2.4.0-rc1.1, < 2.11.3

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-32019",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-07-23T20:47:38.788563Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-07-23T20:47:47.745Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "harbor",
              "vendor": "goharbor",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003e= 2.12.0-rc1, \u003c 2.12.4-rc1"
                },
                {
                  "status": "affected",
                  "version": "\u003e= 2.13.0-rc1, \u003c 2.13.1-rc1"
                },
                {
                  "status": "affected",
                  "version": "\u003c= 2.4.0-rc1.1, \u003c 2.11.3"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "Harbor is an open source trusted cloud native registry project that stores, signs, and scans content. Versions 2.11.2 and below, as well as versions 2.12.0-rc1 and 2.13.0-rc1, contain a vulnerability where the markdown field in the info tab page can be exploited to inject XSS code. This is fixed in versions 2.11.3 and 2.12.3."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 4.1,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "LOW",
                "integrityImpact": "NONE",
                "privilegesRequired": "LOW",
                "scope": "CHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-07-23T20:38:10.966Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/goharbor/harbor/security/advisories/GHSA-f9vc-vf3r-pqqq"
            },
            {
              "name": "https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goharbor/harbor/commit/76c2c5f7cfd9edb356cbb373889a59cc3217a058"
            },
            {
              "name": "https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goharbor/harbor/commit/a13a16383a41a8e20f524593cb290dc52f86f088"
            },
            {
              "name": "https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/goharbor/harbor/commit/f019430872118852f83f96cac9c587b89052d1e5"
            }
          ],
          "source": {
            "advisory": "GHSA-f9vc-vf3r-pqqq",
            "discovery": "UNKNOWN"
          },
          "title": "Harbor\u0027s repository description page allows for XSS"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-32019",
        "datePublished": "2025-07-23T20:38:10.966Z",
        "dateReserved": "2025-04-01T21:57:32.954Z",
        "dateUpdated": "2025-07-23T20:47:47.745Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }